mirrors/qemu
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
6832deb8ff
qemu/hw/net
History
Jason Wang abe300d9d8 virtio-net: fix map leaking on error during receive 
Commit bedd7e93d0 ("virtio-net: fix use after unmap/free for sg")
tries to fix the use after free of the sg by caching the virtqueue
elements in an array and unmap them at once after receiving the
packets, But it forgot to unmap the cached elements on error which
will lead to leaking of mapping and other unexpected results.

Fixing this by detaching the cached elements on error. This addresses
CVE-2022-26353.

Reported-by: Victor Tom <vv474172261@gmail.com>
Cc: qemu-stable@nongnu.org
Fixes: CVE-2022-26353
Fixes: bedd7e93d0 ("virtio-net: fix use after unmap/free for sg")
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
2022-03-15 13:57:44 +08:00
..
can Remove unnecessary minimum_version_id_old fields 2022-01-28 15:38:23 +01:00
fsl_etsec Mark remaining global TypeInfo instances as const 2022-02-21 13:30:20 +00:00
rocker
allwinner_emac.c
allwinner-sun8i-emac.c dma: Let dma_memory_read/write() take MemTxAttrs argument 2021-12-30 17:16:32 +01:00
cadence_gem.c
dp8393x.c
e1000_regs.h
e1000.c e1000: fix tx re-entrancy problem 2021-11-05 11:31:42 +08:00
e1000e_core.c hw/net: e1000e: Clear ICR on read when using non MSI-X interrupts 2022-02-14 11:50:44 +08:00
e1000e_core.h
e1000e.c
e1000x_common.c
e1000x_common.h
eepro100.c pci: Let ld*_pci_dma() propagate MemTxResult 2021-12-31 01:05:27 +01:00
etraxfs_eth.c
ftgmac100.c dma: Let dma_memory_read/write() take MemTxAttrs argument 2021-12-30 17:16:32 +01:00
i82596.c
i82596.h
imx_fec.c dma: Let dma_memory_read/write() take MemTxAttrs argument 2021-12-30 17:16:32 +01:00
Kconfig
lan9118.c
lance.c
lasi_i82596.c
mcf_fec.c
meson.build hw/net: Move MV88W8618 network device out of hw/arm/ directory 2022-01-20 11:47:52 +00:00
mipsnet.c
msf2-emac.c
mv88w8618_eth.c hw/net: Move MV88W8618 network device out of hw/arm/ directory 2022-01-20 11:47:52 +00:00
ne2000-isa.c hw/isa: Inline and remove one-line isa_init_irq() 2022-03-08 19:38:17 +01:00
ne2000-pci.c
ne2000.c
ne2000.h
net_rx_pkt.c
net_rx_pkt.h
net_tx_pkt.c
net_tx_pkt.h
npcm7xx_emc.c dma: Let dma_memory_read/write() take MemTxAttrs argument 2021-12-30 17:16:32 +01:00
opencores_eth.c
pcnet-pci.c
pcnet.c
pcnet.h
rtl8139.c
smc91c111.c
spapr_llan.c
stellaris_enet.c
sungem.c
sunhme.c
trace-events hw/net: e1000e: Clear ICR on read when using non MSI-X interrupts 2022-02-14 11:50:44 +08:00
trace.h
tulip.c pci: Let ld*_pci_dma() propagate MemTxResult 2021-12-31 01:05:27 +01:00
tulip.h
vhost_net-stub.c Revert "virtio-net: add support for configure interrupt" 2022-01-10 16:00:54 -05:00
vhost_net.c Revert "virtio-net: add support for configure interrupt" 2022-01-10 16:00:54 -05:00
virtio-net.c virtio-net: fix map leaking on error during receive 2022-03-15 13:57:44 +08:00
vmware_utils.h
vmxnet3_defs.h
vmxnet3.c hw/net/vmxnet3: Log guest-triggerable errors using LOG_GUEST_ERROR 2022-02-14 11:50:44 +08:00
vmxnet3.h
vmxnet_debug.h
xen_nic.c
xgmac.c
xilinx_axienet.c
xilinx_ethlite.c